CVE-2024-40646
Analyzed Analyzed - Analysis Complete
Path Traversal in Vertex Media Manager

Publication date: 2026-06-01

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
Vertex is a management tool for PT (Private Tracker) users to manage streaming and watching videos. Versions prior to commit fbde301b97986d5913fc4bc95f5445750d282e11 are vulnerable to path traversal. Users should upgrade to a version containing commit fbde301b97986d5913fc4bc95f5445750d282e11 to receive a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-08
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2024-40646
EUVD
EUVD-2024-55604
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vertex-app vertex to 2024-07-17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized attackers to perform path traversal attacks, enabling them to access arbitrary files on the server, including potentially sensitive data. This unauthorized access to confidential information could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive data.

Because the vulnerability can expose sensitive files without authentication or user interaction, it increases the risk of data breaches, which are subject to regulatory reporting and penalties under these standards.

Applying the patch that validates file paths and prevents access outside intended directories is essential to maintain compliance with these regulations by protecting confidentiality and limiting unauthorized data exposure.

Executive Summary

CVE-2024-40646 is a high-severity path traversal vulnerability in the vertex-app/vertex project affecting versions prior to a specific commit. This vulnerability allows attackers to manipulate file path inputs to access arbitrary files on the server that should be restricted.

For example, an attacker could craft a URL that traverses directories to read sensitive system files such as /etc/passwd. The vulnerability does not require authentication, user interaction, or elevated privileges to exploit, making it particularly dangerous.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive files on the server, potentially exposing confidential information.

  • High confidentiality impact due to unauthorized data access.
  • Low integrity impact as attackers have limited ability to modify data.
  • Low availability impact with minimal service disruption.

Because the vulnerability can be exploited remotely without authentication or user interaction, it poses a significant security risk.

Detection Guidance

This vulnerability can be detected by attempting to access files outside the intended static directories via crafted URLs that include path traversal sequences such as "../".

For example, you can try to access sensitive files like /etc/passwd by sending HTTP requests with URLs similar to:

  • curl -v http://<vertex-server>:<port>/assets/js/../../../../../../../../../../../../../../../../etc/passwd
  • wget http://<vertex-server>:<port>/assets/js/../../../../../../../../../../../../../../../../etc/passwd -O -

If the server responds with the contents of the file or does not return a 404 error, it indicates the presence of the path traversal vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade the vertex-app/vertex software to a version that includes the patch introduced in commit fbde301b97986d5913fc4bc95f5445750d282e11.

This patch adds path validation checks to ensure that file download requests are restricted to intended static directories and returns a 404 error for invalid paths, preventing path traversal exploits.

Until the upgrade can be applied, consider restricting access to the vulnerable endpoints or implementing network-level controls such as firewall rules to block suspicious requests containing path traversal patterns.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-40646. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart